Re: [squid-users] OpenBSD + PF + Squid: forwarding loop

From: Rob Sheldon <rob_at_associatedtechs.com>
Date: Fri, 31 May 2013 16:58:31 -0700

On 2013-05-31 16:07, Loïc BLOT wrote:
> Instead of your ugly:
> pass quick on lo0
> use:
> skip lo0
> which is better :)

Thanks, I forgot about skip.

> You must redirect traffic on your lan interface directed to any remote
> 80
> to your lan IP:3129 and also allow tcp 3129 on pf
>
> pass out quick on $lan_if proto tcp to port 80 rdr-to $lan_ip port
> 3129
> pass in quick on $lan_if proto tcp to $lan_ip port 3129
>
> You mustn't redirect to localhost iface, it's bad.

I'd rather not futz around with pf anymore for now, since I don't think
that's where the problem is. (Unless Squid for some reason requires
"http_port...intercept" to be passed through an rdr rule...?) I'd rather
just get the most basic test case working first before involving any pf
rules which might further complicate troubleshooting.

> For normal and transparent you are correct. Have you compiled squid
> with
> the --enable-pf-transparent option? (/usr/local/squid/sbin/squid -v shows
> you)

I've got Squid 3.2.7. Here's the output from -v:

configure options: '--enable-shared'
'--datadir=/usr/local/share/squid'
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
'--enable-arp-acl' '--enable-auth' '--enable-auth-basic=NCSA SMB NIS
radius LDAP' '--enable-auth-digest=file LDAP'
'--enable-auth-negotiate=kerberos' '--enable-auth-ntlm=fake smb_lm'
'--enable-delay-pools' '--enable-external-acl-helpers=file_userip
session unix_group wbinfo_group LDAP_group'
'--enable-follow-x-forwarded-for' '--enable-forw-via-db'
'--enable-http-violations' '--enable-icap-client' '--enable-ipv6'
'--enable-referer-log' '--enable-removal-policies=lru heap'
'--enable-ssl' '--enable-stacktraces' '--enable-storeio=aufs ufs diskd '
'--with-default-user=_squid' '--with-filedescriptors=8192'
'--with-pidfile=/var/run/squid.pid' '--with-pthreads'
'--with-swapdir=/var/squid/cache' '--disable-pf-transparent'
'--enable-ipfw-transparent' '--prefix=/usr/local'
'--sysconfdir=/etc/squid' '--mandir=/usr/local/man'
'--infodir=/usr/local/info' '--localstatedir=/var/squid'
'--disable-silent-rules' 'CC=cc' 'CFLAGS=-O2 -pipe'
'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++'
'CXXFLAGS=-O2 -pipe'

...it looks correct for that version. According to
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf#NAT_Interception_proxy,
--enable-pf-transparent doesn't work until Squid 3.4;
"--disable-pf-transparent --enable-ipfw-transparent" is the recommended
way for 3.3 and 3.2.

Thanks,

- R.

-- 
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
Received on Fri May 31 2013 - 23:58:33 MDT
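The setup Loïc describes, written out as an added example that is not from the original thread, the Squid project or the wiki page linked above: pf.conf rules that redirect LAN clients' port-80 connections to the proxy's own LAN address on 3129 (not to loopback), plus the matching squid.conf ports. The interface name em1 and the 192.168.1.x addresses are constructed placeholders. The redirect here is applied to traffic arriving inbound on the LAN interface, so the proxy's own outbound fetches, which leave on the external interface, never match it and cannot be bounced back into Squid, which is the usual way a forwarding loop arises.

```conf
# /etc/pf.conf (added example; interface and addresses are placeholders)
lan_if = "em1"                 # interface facing the LAN clients
lan_ip = "192.168.1.1"         # Squid host's address on that interface

# Loopback is never filtered, per Loïc's suggestion ("skip lo0").
set skip on lo0

# Only traffic *arriving* from LAN clients on $lan_if is redirected.
# Squid's own requests to origin servers leave via the external
# interface, so they never match this rule.
pass in quick on $lan_if inet proto tcp from $lan_if:network \
    to any port 80 rdr-to $lan_ip port 3129

# Accept the redirected connections on the intercept port itself.
pass in quick on $lan_if inet proto tcp from $lan_if:network \
    to $lan_ip port 3129

# Let the proxy reach origin servers on the outside.
pass out quick on egress inet proto tcp to any port 80

# /etc/squid/squid.conf (relevant directives only)
# Explicitly configured browsers keep using the normal proxy port ...
http_port 3128
# ... while pf-redirected connections land on a separate intercept port,
# as on the thread's 3.2 build (--disable-pf-transparent
# --enable-ipfw-transparent).
http_port 3129 intercept
# Keep Via headers on (the default): Squid uses them to recognise a
# request that has come back to itself and logs a forwarding-loop
# warning in cache.log, which is the first thing to check.
via on
```

Reload with `pfctl -f /etc/pf.conf` and confirm the rdr rule is matching with `pfctl -s rules -v` (the evaluation and packet counters next to the rdr-to line) before touching anything else; if the counters stay at zero, the client traffic is not reaching the rule and the Squid side cannot be at fault yet.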
